As is common these days, I was complaining about something on Twitter.
For security reasons we require you to have long, unpredictable password.
Also, we need you to change it every sixty days.
Critically, we also don’t allow you to use a password manager.
— Stephen Darlington (@sdarlington) May 9, 2022
It’s easy to complain about security practices which, if I’m honest, is why I do it. But there is an important point, one that I included in a follow-up tweet:
Hardly an original insight, but the fact that these policies force you to do things that are *less* secure than the alternatives is what bugs me most about them.
— Stephen Darlington (@sdarlington) May 9, 2022
The security team in many companies models itself on the DUP. Say no to everything. But – and this is the key – offer no alternative.
The tweet above is about passwords but I see it everywhere. Another common one is transferring files. I understand why sharing files can be problematic. Confidential data can be exported, either deliberately or accidentally. Viruses can be imported. Security defects can be exploited.
So yes, blocking OneDrive or DropBox is part of the job. What is missing is a legitimate alternative.
Security teams should be enabling staff to safely perform their jobs. Instead, they block the insecure methods and stop.
If I need to share a file or remember a complex password and you don’t provide suitable tools, you did not prevent a security problem. You forced people to write their password on a PostIt note and stick it on their monitor. You pushed someone to use some dodgy new file sharing service that you haven’t heard of.
In the attempts to make the system more secure, you, best case, prevented someone from doing their job. Worst case, you pushed someone into doing something insecure.
In either case, you effectively delegated security to everyone else.